You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/governance/policy/concepts/compliance-states.md
+5-5Lines changed: 5 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,15 +9,15 @@ ms.topic: conceptual
9
9
10
10
## How compliance works
11
11
12
-
When initiative or policy definitions are assigned, Azure Policy will determine which resources are [applicable](./policy-applicability.md) then evaluate those which have not been [excluded](./assignment-structure.md#excluded-scopes). Evaluation yields **compliance states** based on conditions in the policy rule and each resources' adherence to those requirements.
12
+
When initiative or policy definitions are assigned, Azure Policy will determine which resources are [applicable](./policy-applicability.md) then evaluate those which haven't been [excluded](./assignment-structure.md#excluded-scopes). Evaluation yields **compliance states** based on conditions in the policy rule and each resources' adherence to those requirements.
13
13
14
14
## Available compliance states
15
15
16
16
### Non-compliant
17
17
18
18
Policy assignments with `audit`, `auditIfNotExists`, or `modify` effects are considered non-compliant for _new_, _updated_, or _existing_ resources when the conditions of the policy rule evaluate to **TRUE**.
19
19
20
-
Policy assignments with `append`, `deny`, and `deployIfNotExists` effects are considered non-compliant for _existing_ resources when the conditions of the policy rule evaluate to **TRUE**. _New_ and _updated_ resources are not considered non-compliant in this case because enforcement will block or remediate resources which would otherwise be deemed non-compliant. When updating a previously existing non-compliant resource, the compliance state will remain non-compliant until the resource deployment and Policy evaluation complete.
20
+
Policy assignments with `append`, `deny`, and `deployIfNotExists` effects are considered non-compliant for _existing_ resources when the conditions of the policy rule evaluate to **TRUE**. _New_ and _updated_ resources aren't considered non-compliant in this case because enforcement will block or remediate resources which would otherwise be deemed non-compliant. When updating a previously existing non-compliant resource, the compliance state will remain non-compliant until the resource deployment and Policy evaluation complete.
21
21
22
22
> [!NOTE]
23
23
> The DeployIfNotExist and AuditIfNotExist effects require the IF statement to be TRUE and the
@@ -71,7 +71,7 @@ This compliance state indicates that the evaluation cycle hasn't started for the
71
71
72
72
## Example
73
73
74
-
Now that you have an understanding of what compliance states exist and what each one means, let's look at an example.
74
+
Now that you have an understanding of what compliance states exist and what each one means, let's look at an example using compliant and non-compliant states.
75
75
76
76
Suppose you have a resource group - ContsoRG, with some storage accounts
77
77
(highlighted in red) that are exposed to public networks.
@@ -80,7 +80,7 @@ Suppose you have a resource group - ContsoRG, with some storage accounts
80
80
Diagram showing images for five storage accounts in the Contoso R G resource group. Storage accounts one and three are blue, while storage accounts two, four, and five are red.
81
81
:::image-end:::
82
82
83
-
In this example, you need to be wary of security risks. Assume you assign a policy definition that audits for storage accounts that are exposed to public networks, and that no exemptions are created for this assignment. The policy checks for applicable resources (which includes all storage accounts in the ContosoRG resource group), then evaluates those resources which are not excluded from evaluation. It audits the three storage accounts exposed to public networks, changing their compliance states to **Non-compliant.** The remainder are marked **compliant**.
83
+
In this example, you need to be wary of security risks. Assume you assign a policy definition that audits for storage accounts that are exposed to public networks, and that no exemptions are created for this assignment. The policy checks for applicable resources (which includes all storage accounts in the ContosoRG resource group), then evaluates those resources which aren't excluded from evaluation. It audits the three storage accounts exposed to public networks, changing their compliance states to **Non-compliant.** The remainder are marked **compliant**.
84
84
85
85
:::image type="complex" source="../media/getting-compliance-data/resource-group03.png" alt-text="Diagram of storage account compliance in the Contoso R G resource group." border="false":::
86
86
Diagram showing images for five storage accounts in the Contoso R G resource group. Storage accounts one and three now have green checkmarks beneath them, while storage accounts two, four, and five now have red warning signs beneath them.
@@ -110,7 +110,7 @@ So how is the aggregate compliance state determined if multiple resources or pol
110
110
1. Unknown (preview)
111
111
112
112
> [!NOTE]
113
-
> [Not started](#not-started) and [not registered](#not-registered)are not considered in compliance rollup calculations.
113
+
> [Not started](#not-started) and [not registered](#not-registered)aren't considered in compliance rollup calculations.
114
114
115
115
This means that if there are both non-compliant and compliant states, the rolled up aggregate would be non-compliant, and so on. Let's look at an example:
0 commit comments